Azure KeyVault – RBAC as a security best practice

Azure KeyVault – RBAC as a security best practice. For those who are new to this, I hope this essay will guide you in authorizing access to Azure KeyVault.

In KeyVault, there are currently two methods for specifying access to the data plane (secrets, certificates, and keys). Please see the table below:

FeatureAccess policyRBAC
Grant access to secrets/certificates/keysyesyes
Grant access to specific secret/certificate/keynoyes
Use groupsnoyes
Use Privileged Identity Management (PIM)noyes
Deny assignmentsnoyes
Centralized access management for administratorsnoyes
Use the same API for Azure servicesnoyes
Azure KeyVault RBAC vs. Access policy

As you see, almost every useful feature is available in the RBAC. For example, if you have an application that needs to read one secret, you can only give access to all the secrets. Do you see my point? This app requires one, but you give them access to 100 secrets!

We determined that RBAC is a superior strategy for granting access. Let’s have a look at how to do so with Terraform. If you’re familiar with Terraform, you can get to the sources here. Enjoy!

First step, create KeyVault, with RBAC authorization enabled:

Next step: Add permission for the current user to add a secret:

We can add a new secret in the KeyVault, pay attention to the depends_on block. We must add it because we don’t have a direct reference to the role assignment, without it our execution will fail due to lack of permission.

We have a secret in the KeyVault, so we can add permission for it. Again, pay attention to the scope argument (resource_versionless_id) and principal_id (user for which permission is. granted).

In my example, I’m using User Managed Identity, which I obtained using below code:

Remember that your account, in which context you execute Terraform, needs to have Owner permission on the Resource group or Subscription. Without the owner’s permission, you cannot assign roles.

In the documentation, you can find all defined roles for the Azure KeyVault data plane:

Leave a Reply

Your email address will not be published. Required fields are marked *